{\rtf1\ansi\ansicpg1252\cocoartf1138\cocoasubrtf510
{\fonttbl\f0\fswiss\fcharset0 ArialMT;\f1\froman\fcharset0 Times-Roman;}
{\colortbl;\red255\green255\blue255;}
\paperw11900\paperh16840\margl1440\margr1440\vieww18300\viewh14280\viewkind0
\deftab720
\pard\pardeftab720\sl340

\f0\fs30 \cf0 ====================
\f1\fs24 \

\f0\fs30 To the first reviewer:
\f1\fs24 \

\f0\fs30 ====================
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 Thanks for your review.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 1. As explained in the first paragraph in Sect. 3, we have used the criterion of citation popularity, similarly to other authors that surveyed papers on security in model driven development (e.g. [11]), for the selection of MDS approaches and associated literature. We agree that other criteria such as \'93maturity of applications in industry\'94 would also be interesting. Nevertheless, to the best of our knowledge, the presented MDS approaches are among the most mature ones, and they have some applications in industry or at least large case studies (e.g. references [15,18,20]).
\f1\fs24 \

\f0\fs30  
\f1\fs24 \

\f0\fs30 2. The use of an ontology is a very constructive advice. We noticed that all the studied approaches embed a composition metamodel in addition to the mappings allowing the specification of \'93common\'94 or \'93joint\'94 concepts. This is very similar to the use of an ontology. In this sense, an ontology could be used in our enhanced Y-Model to help in the composition of heterogeneous models.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 3. The quality of the figures will be improved to make them more readable. Typos will be corrected by proofreading again.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 ====================
\f1\fs24 \

\f0\fs30 To the second reviewer:
\f1\fs24 \

\f0\fs30 ====================
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 Thanks for your review.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 1. We considered backward traceability to help locating design flaws on higher-level models when a counterexample is found during the verification of lower-level models. We agree that forward traceability is also helpful for the automatic and/or incremental evolution [Lucio et al, Invariant Preservation in Iterative Modeling, ME\'9212] of lower-level models induced by changes on more abstract models. 
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 2. We will recheck our statements about the evaluated MDS approaches after a survey of other relevant publications not yet considered.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 3. The auto-generated tests are not intended to test the correctness of the transformation but security policy enforcement. 
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 4. Regarding flexible DSL workbenches, we agree that this could be an alternative solution. 
\f1\fs24 \

\f0\fs30 However, in both cases, a certain level of complexity is present: 1) at model composition, for the solution suggested in the paper; 2) when manipulating and/or extending large metamodels modularly, for the solution suggested by the reviewer.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 5. We will improve the quality of the figures and correct the typos.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 ====================
\f1\fs24 \

\f0\fs30 To the third reviewer:
\f1\fs24 \

\f0\fs30 ====================
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 Thanks for your review.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 1. In the first paragraph in Sect. 2.2, we use the "Y" concept because of the shape of our proposed evaluation schema, but no overlap with existing \'93Y\'94 concepts in other domains is intended. We provide one reference saying that this term is also used in other researchers' work, but, to the best of our knowledge, we are the first to use it in the MDS context. Figure 2 depicts the origin of the Y-Model (MDA) and its characteristics making it distinct from other MDE frameworks (separation of security concerns from other business concerns at the very beginning of the development lifecycle). We nevertheless agree that a survey of the usage of this term in other domains is helpful to avoid confusion in the use of the term.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720\sl340

\f0\fs30 \cf0 2. We agree that a concrete example could clarify our notion of heterogeneous MDS. However this exploratory paper cannot afford entering into details due to space limitations. We are currently working on a large case study demonstrating heterogeneity in MDS which leverages on existing MDS approaches.
\f1\fs24 \
\pard\pardeftab720
\cf0 \
\pard\pardeftab720

\f0\fs30 \cf0 3. We will improve the quality of the figures and correct typos.}